wddx parsing empty boolean tag leads to SIGSEGV
| Sec Bug #74145 | wddx parsing empty boolean tag leads to SIGSEGV | | |
|---|---|---|---|
| Submitted: | 2017-02-22 04:11 UTC | Modified: | 2018-01-15 12:18 UTC |
| From: | varsleak at gmail dot com | Assigned: | stas |
| Status: | Closed | Package: | WDDX related |
| PHP Version: | 5.6Git-2017-02-22 (Git) | OS: | Ubuntu 16.40 x64 |
| Private report: | No | CVE-ID: | 2017-11143 |
[2017-02-22 04:11 UTC] varsleak at gmail dot com
Description:
------------
I used honggfuzz to fuzz PHP and found an invalid free in the wddx extension that causes a denial of service vulnerability.

The test file: https://raw.githubusercontent.com/varsleak/varsleak-vul/master/php-src-vul/crash.xml

Test script:
---------------
```php
<?php
$data = file_get_contents($argv[1]);
$wddx = wddx_deserialize($data);
var_dump($wddx);
?>
```

Expected result:
----------------
Output:
```
array(0) {
}
```
No crash.

Actual result:
--------------
USE_ZEND_ALLOC = 0:
```
➜ php-src git:(d2eca4d) ✗ USE_ZEND_ALLOC=0 valgrind --leak-check=full sapi/cli/php ~/php720dev/bin/xmlfuzz.php ~/php720dev/bin/crash.xml
==4388== Memcheck, a memory error detector
==4388== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==4388== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==4388== Command: sapi/cli/php /home/varsleak/php720dev/bin/xmlfuzz.php /home/varsleak/php720dev/bin/crash.xml
==4388==
==4388== Invalid free() / delete / delete[] / realloc()
==4388==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4388==    by 0x858B01: _efree (zend_alloc.c:2437)
==4388==    by 0x7D8756: wddx_stack_destroy (wddx.c:238)
==4388==    by 0x7E0295: php_wddx_deserialize_ex (wddx.c:1206)
==4388==    by 0x7E15FE: zif_wddx_deserialize (wddx.c:1405)
==4388==    by 0x8DC464: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==4388==    by 0x8E1F8F: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2602)
==4388==    by 0x8DBACC: execute_ex (zend_vm_execute.h:363)
==4388==    by 0x8DBB53: zend_execute (zend_vm_execute.h:388)
==4388==    by 0x894503: zend_execute_scripts (zend.c:1341)
==4388==    by 0x7F52A0: php_execute_script (main.c:2613)
==4388==    by 0x951273: do_cli (php_cli.c:998)
==4388==  Address 0x300000000 is not stack'd, malloc'd or (recently) free'd
```

USE_ZEND_ALLOC = 1:
```
➜ php-src git:(d2eca4d) ✗ valgrind --leak-check=full sapi/cli/php ~/php720dev/bin/xmlfuzz.php ~/php720dev/bin/crash.xml
==22828== Memcheck, a memory error detector
==22828== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==22828== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==22828== Command: sapi/cli/php /home/varsleak/php720dev/bin/xmlfuzz.php /home/varsleak/php720dev/bin/crash.xml
==22828==
==22828== Invalid read of size 8
==22828==    at 0x8558B4: zend_mm_check_ptr (zend_alloc.c:1384)
==22828==    by 0x85751A: _zend_mm_free_int (zend_alloc.c:2068)
==22828==    by 0x858B2B: _efree (zend_alloc.c:2440)
==22828==    by 0x7D8756: wddx_stack_destroy (wddx.c:238)
==22828==    by 0x7E0295: php_wddx_deserialize_ex (wddx.c:1206)
==22828==    by 0x7E15FE: zif_wddx_deserialize (wddx.c:1405)
==22828==    by 0x8DC464: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==22828==    by 0x8E1F8F: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2602)
==22828==    by 0x8DBACC: execute_ex (zend_vm_execute.h:363)
==22828==    by 0x8DBB53: zend_execute (zend_vm_execute.h:388)
==22828==    by 0x894503: zend_execute_scripts (zend.c:1341)
==22828==    by 0x7F52A0: php_execute_script (main.c:2613)
==22828==  Address 0x2ffffffb8 is not stack'd, malloc'd or (recently) free'd
==22828==
==22828==
==22828== Process terminating with default action of signal 11 (SIGSEGV)
==22828==  Access not within mapped region at address 0x2FFFFFFB8
==22828==    at 0x8558B4: zend_mm_check_ptr (zend_alloc.c:1384)
==22828==    by 0x85751A: _zend_mm_free_int (zend_alloc.c:2068)
==22828==    by 0x858B2B: _efree (zend_alloc.c:2440)
==22828==    by 0x7D8756: wddx_stack_destroy (wddx.c:238)
==22828==    by 0x7E0295: php_wddx_deserialize_ex (wddx.c:1206)
==22828==    by 0x7E15FE: zif_wddx_deserialize (wddx.c:1405)
==22828==    by 0x8DC464: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==22828==    by 0x8E1F8F: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2602)
==22828==    by 0x8DBACC: execute_ex (zend_vm_execute.h:363)
==22828==    by 0x8DBB53: zend_execute (zend_vm_execute.h:388)
==22828==    by 0x894503: zend_execute_scripts (zend.c:1341)
==22828==    by 0x7F52A0: php_execute_script (main.c:2613)
```
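As an added mitigation example (not code from the report, and not PHP's own fix), a guard that refuses to hand a packet to wddx_deserialize() when it contains a `<boolean>` element whose `value` attribute is missing or not `true`/`false`, so the extension's C parser never sees such input. It assumes, from the bug summary alone, that an empty boolean tag is the input that reaches the invalid free; the sample packets below are constructed for a local check.

```php
<?php
// Added example, not from the bug report: validate a WDDX packet with the
// DOM extension before wddx_deserialize() gets to parse it in C.

function wddx_packet_is_safe(string $packet): bool
{
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while checking input.
    $ok = $doc->loadXML($packet, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($ok === false) {
        return false; // not well-formed XML: reject before the C parser sees it
    }
    // The WDDX DTD only allows <boolean value="true"/> or value="false";
    // an empty or valueless boolean tag is the case this bug is about.
    foreach ($doc->getElementsByTagName('boolean') as $el) {
        $value = $el->getAttribute('value');
        if ($value !== 'true' && $value !== 'false') {
            return false;
        }
    }
    return true;
}

// Returns null instead of calling into the extension on rejected input
// (or when the wddx extension is not loaded at all).
function safe_wddx_deserialize(string $packet)
{
    if (!function_exists('wddx_deserialize') || !wddx_packet_is_safe($packet)) {
        return null;
    }
    return wddx_deserialize($packet);
}

// Constructed sample packets: the first passes the check, the second is rejected.
$accepted = '<wddxPacket version="1.0"><header/><data><boolean value="true"/></data></wddxPacket>';
$rejected = '<wddxPacket version="1.0"><header/><data><boolean/></data></wddxPacket>';
var_dump(wddx_packet_is_safe($accepted));
var_dump(wddx_packet_is_safe($rejected));
```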
[2017-07-02 21:23 UTC] stas@php.net
```
-Summary: wddx prase xml lead to Denial of Service.
+Summary: wddx parsing empty boolean tag leads to SIGSEGV
-Assigned To:
+Assigned To: stas
```
[2017-07-05 04:13 UTC] stas@php.net
```
-Status: Assigned
+Status: Closed
```
[2017-07-06 05:36 UTC] varsleak at gmail dot com
[2018-01-15 12:18 UTC] kaplan@php.net
```
-CVE-ID: needed
+CVE-ID: 2017-11143
```